API
REST endpoints for querying your Decoy workspace programmatically.
All endpoints live on app.decoy.run under /api/. The full, machine-readable
spec is always at:
GET https://app.decoy.run/api/openapi.json
This page highlights the endpoints most integrations use. Every request authenticates with a bearer token from your dashboard.
Base URL
https://app.decoy.run
curl -H "Authorization: Bearer $DECOY_TOKEN" https://app.decoy.run/api/triggers
Core endpoints
Triggers & agents
GET /api/triggers — recent tripwire trigger events
GET /api/triggers/export — export as CSV or JSON
GET /api/agents — connected agents with fingerprint, status, last seen
PATCH /api/agents — pause, resume, or revoke an agent
Threat intel (Pro+)
GET /api/feed — structured JSON threat feed. Filter by category, severity, source, and date range.
Scans
POST /api/scan/upload — upload scan results to your workspace
GET /api/scan/history — list past scans
GET /api/scan/results — fetch a specific scan
GET /api/scan/schedule / POST /api/scan/schedule — continuous scanning (Business tier)
Red team (Pro+)
POST /api/redteam/plan — generate an attack plan from scan results
POST /api/redteam/iterate — adapt attacks based on responses
POST /api/redteam/fix — suggested remediations
GET /api/redteam/history / GET /api/redteam/results
Workspace
GET /api/config / PATCH /api/config — alert configuration
GET /api/tokens / POST /api/tokens / DELETE /api/tokens — API tokens
GET /api/risk — rollup risk score for your workspace
GET /api/billing — current plan and limits
Rate limits
Limits are per-token and per-tier. Current values are returned in
X-RateLimit-* response headers on every call.
Authentication errors
Missing or invalid tokens return 401 with:
{ "error": "Invalid token. Get a valid token at https://decoy.run or via POST /api/signup" }
Grab a token from the dashboard or create one with POST /api/signup (email
required, no credit card for Free).
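A minimal client for the bearer-token flow, the X-RateLimit-* headers and the 401 body described above. This is an added example, not Decoy's own code: the function names, DecoyAuthError and the no-redirect policy are assumptions, and the shape of successful response bodies is not assumed (they are returned as parsed JSON).

```python
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://app.decoy.run"  # base URL from this page

class DecoyAuthError(Exception):
    """Hypothetical exception for 401; carries the API's "error" text, never the token."""

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Refuse redirects so the Authorization header is never replayed to another host.
    def redirect_request(self, *args, **kwargs):
        return None

def build_request(path, token, method="GET"):
    # Attach the token only to relative /api/ paths on the fixed HTTPS base URL,
    # so a caller-supplied URL cannot carry the credential to another host.
    if not path.startswith("/api/") or any(c.isspace() for c in path):
        raise ValueError("path must be a relative /api/ path")
    if not token or any(c.isspace() for c in token):
        raise ValueError("token is empty or contains whitespace")
    return urllib.request.Request(
        BASE_URL + path, method=method,
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"},
    )

def interpret(status, headers, body):
    # Keep whatever X-RateLimit-* headers came back; their suffixes are not assumed.
    limits = {k: v for k, v in headers.items() if k.lower().startswith("x-ratelimit-")}
    if status == 401:
        try:
            msg = json.loads(body).get("error", "unauthorized")
        except (ValueError, AttributeError):
            msg = "unauthorized"
        raise DecoyAuthError(msg)
    if not 200 <= status < 300:
        raise RuntimeError("unexpected HTTP status %d" % status)
    return {"status": status, "rate_limits": limits, "data": json.loads(body) if body else None}

def call(path, token=None):
    # The token is read from DECOY_TOKEN (as in the curl example), not from source code.
    req = build_request(path, token or os.environ.get("DECOY_TOKEN", ""))
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return interpret(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as err:
        return interpret(err.code, dict(err.headers), err.read())
```

With DECOY_TOKEN exported, call("/api/triggers") returns the parsed body together with the rate-limit headers from that response.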